OpenID Synonyms

18th Jan 2007

At this point, many people have two or more OpenID identifiers. I have my primary self-hosted identifier, my LiveJournal account, my MyOpenID account, my three XRIs (two i-names and an i-number), my Vox account and possibly more I don't even know about. I don't really have any good reason to keep all of these distinct, because they all represent me in my “personal life” persona.

XRI provides a great feature called synonyms in which several i-names can all represent the same identity. Under the hood, this is done by making the distinction between my pretty display identifiers (i-names) and the internal, non-reassignable, permanently-mine i-number. The idea is that when I use one of my i-names to log into a site, the site will display my identity as my i-name, but internally it'll know me by my i-number. Since all of my i-names point at the same canonical i-number, they are all interchangeable and all represent the same identity or account on a particular site.

Given that lots of people already have several OpenID identifiers, it would be valuable to import this idea into OpenID in some sense. I may want to present my “personal life” identity slightly differently across sites — for example, I'd want to present my LiveJournal identifier on LiveJournal and my Vox identifier on Vox, but elsewhere I'll usually use my self-hosted identifier on my own domain name. However, I want the world to know that really all three of those are synonymous, just as in the real world you might refer to me by one of several names depending on the context where you are naming me.

Fortunately, XRI and OpenID 2.0 share the most important component that enables synonym support for i-names: the XRDS document. This format was originally designed as the format for return values from XRI resolution, but is also used as the return format for Yadis — the service discovery protocol used by OpenID 2.0. This overlap was intentional, aiming to facilitate the very sharing of technologies that I'm considering here. The XRDS document is where you find the canonical identifier for a given i-name, and it is given as a URI. In the XRI case, it is of course usually an xri:// URI, but there's no syntactic reason why you can't throw an OpenID http: or https: identifier in there instead.

With the CanonicalID declaration format out of the way, we need to sort out the verification process for asking the apparently-canonical identifier whether it agrees that I have one of its synonyms. I don't know enough about how XRI deals with this to know whether we can copy it verbatim for OpenID.
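To make the verification question concrete, here is an added example (not code from this post or from any OpenID library) of a relying party that only keys an account on a declared CanonicalID when the canonical identifier's own XRDS document points back at the synonym. The back-reference through an `EquivID` element is an assumption made for illustration, the identifiers are constructed, and the `DOCS` table stands in for the documents Yadis discovery would fetch.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"  # XRD namespace used inside XRDS documents


def _xrds(tag, value):
    """Build a minimal constructed XRDS document holding one XRD child element."""
    return ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="%s"><XRD>'
            '<%s>%s</%s></XRD></xrds:XRDS>' % (XRD_NS, tag, value, tag))


# Constructed sample data: identifier -> XRDS document discovery would return.
DOCS = {
    # Synonym that declares a canonical identifier.
    "https://user.example.org/": _xrds("CanonicalID", "https://id.example.com/me"),
    # Canonical identifier that confirms the synonym (assumed EquivID back-link).
    "https://id.example.com/me": _xrds("EquivID", "https://user.example.org/"),
    # Unilateral claim: nothing in the canonical document mentions this one.
    "https://mallory.example.net/": _xrds("CanonicalID", "https://id.example.com/me"),
}


def _values(identifier, tag):
    """Return the text of every <tag> element in the identifier's XRDS."""
    root = ET.fromstring(DOCS[identifier])
    return [e.text.strip() for e in root.iter("{%s}%s" % (XRD_NS, tag)) if e.text]


def canonical_id(identifier):
    """Return the declared CanonicalID, or None if the document has none."""
    ids = _values(identifier, "CanonicalID")
    return ids[0] if ids else None


def resolve_account_key(identifier):
    """Return the identifier a relying party should store the account under.

    A declared CanonicalID is honoured only when the canonical identifier's
    own document lists the synonym; otherwise the claim is ignored and the
    login stays bound to the identifier that was actually authenticated.
    """
    canon = canonical_id(identifier)
    if canon is None or canon == identifier or canon not in DOCS:
        return identifier
    if identifier in _values(canon, "EquivID"):
        return canon
    return identifier
```

Without the back-reference check, the third document would be enough to map a stranger's login onto the account keyed by `https://id.example.com/me`, which is why the declaration format alone does not settle the design.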

I've raised this and other issues, both practical and hypothetical, in a message to the OpenID general mailing list. I hope that the new united OpenID community, which has come together from various diverse technologies including OpenID 1 and XRI, will be able to find a workable solution to this so that in the future, when more and more people will have more and more identifiers, we'll have a way to bring some order to the resulting chaos.